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Core  ideology  provides  the  bonding  glue  that  holds  an  organization  together  as  it  grows, 
decentralizes,  diversifies,  expands  globally,  and  attains  diversity  within... Core  values  are  the 
organization’s  essential  and  enduring  tenets — a  small  set  of  timeless  guiding  principles  that 
require  no  external  justification;  they  have  intrinsic  value  and  importance  to  those  inside  the 
organization. 

Built  to  Last,  Collins  and  Porras  [1994] 

A.  INTRODUCTION 

The  meaning  of  the  current  terms  information  technology,  information  assurance  (lA),  information 
survivability,  and  survivable  dependable  systems  will  undoubtedly  change  over  time.  This  is  because 
technology  will  continue  to  advance,  new  market  opportunities  will  open,  and  challenging  needs  wiU 
evolve.  Undoubtedly,  innovation  will  continue  to  dominate  our  science-  and  engineering- based 
commerce  and  industry,  and  the  national  and  international  social  fabric,  order,  and  interconnectedness 
will  chart  unimaginable  roads  in  currently  unejq5lored  terrain.  lA  is  the  emerging  view  of  survivability, 
which  merges  several  disciplines,  including  risk  assessment  and  management,  reliability,  fault  tolerance, 
human  and  organizational  behavior,  business  management,  and  knowledge  management,  among  others 
[Haimes  1998]. 

B.  Information  Assurance  (lA) 

Information  assurance  is  the  trust  that  information  presented  by  the  system  is  accurate  and  is  properly 
represented;  its  measure  of  the  level  of  acceptable  risk  depends  on  the  critical  nature  of  the  system’s 
mission. 

lA  can  be  represented  by  the  following  three  state-of-the-system  attributes: 

•  Accuracy  (indicating  a  level  of  information  integrity) 

•  Representativeness  (indicating  a  level  of  correct  labeling  of  information) 

•  Criticality  (indicating  the  importance  of  the  system’s  mission). 
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Similar  to  the  attributes  of  quality,  each  of  the  above  three  dimensions  is  distinct  and  self-contained; 
however,  they  can  be  interrelated  in  some  cases.  More  specifically,  lA  is  a  quality  attribute  of  the 
information  in  both  the  input  and  output  of  the  system,  connoting  the  level  of  trust  that  can  be 
attributed  to  it  [Longstaflf  et  al.  2000]. 

C.  Importance  of  Trust 

A  central  tenet  of  the  vision  of  lA  is  building  and  codifying  trust  that  transcends  institutions, 
organizations,  decisionmakers,  professionals,  and  the  public  at  large.  The  leadership  of  organizations  will 
have  to  imbue  tmst  as  the  enabling  landmark  for  knowledge  management  in  order  to  lower,  if  not 
eliminate,  the  vertical,  horizontal,  external,  and  geographical  boundaries  among  the  multiple  partners  of 
the  newly  formed  Institute.  Undoubtedly,  achieving  this  laudable  goal  will  be  a  challenge  in  the  quest  to 
manage  change. 

In  sum,  a  holistic  vision  that  charts  the  path  for  an  organization’s  accomplishments  must  be  built  on  and 
sustained  by  trust.  Davenport  and  Pmsak  [1998]  advocate  three  tenets  for  the  establishment  of  tmst: 

•  Trust  must  be  visible. 

•  Trust  must  be  ubiquitous. 

•  Tmstworthiness  must  start  at  the  top. 

Building  on  these  three  foundations  of  tmst  to  realize  the  goals  of  lA  means  that: 

•  Successful  sharing  of  information  must  be  built  on  sustained  tmst. 

•  Trust  in  the  system  is  a  prerequisite  for  its  viability  (e.g.,  a  banking  system  that  loses  the  trust  of  its 
customers  ceases  its  viability). 

•  Trustworthiness  in  survivable  systems  depends  on  their  ability  to  be  adaptable  and  responsive  to  the 
dynamics  of  people’s  changing  expectations. 

•  Organizational  trust  cannot  be  achieved  if  the  various  internal  and  external  boundaries  dominate  and 
thus  stifle  communication  and  collaboration. 

•  Trust  in  the  validity  of  the  organization’s  mission  and  agenda  is  a  requisite  for  its  sustained 
efiectiveness  and  for  the  intellectual  productivity  of  its  employees;  otherwise,  the  trust  can  become 
transient  and  ineffective. 

D.  Knowledge  Management 

In  one  of  his  trilogies,  the  author  and  philosopher  Alvin  Toffler  [1990]  argues  that  the  challenge  we  face 
as  we  enter  the  new  century  is  not  merely  how  and  what  to  learn;  rather,  it  is  how  to  unlearn  and 
relearn.  Indeed,  the  evolving  learning  challenge  in  information  assurance  places  almost  insurmountable 
demands  professionals  trained  in  the  art  and  science  of  inlfastmcture  protection.  Very  few  institutions  of 
higher  education,  if  any,  have  responded  so  far  to  this  need  by  offering  relevant  courses,  revising  their 
curriculums,  or  by  introducing  undergraduate  and  graduate  degree  programs  in  this  area.  The 
knowledge  that  this  specialized  professionals  must  acquire  transcends  traditional  disciplines. 

In  a  seminal  paper.  Brooks  [2000]  offers  the  following  succinct  definition  of  knowledge  management, 
which  is  adapted  from  the  American  Productivity  and  Quality  Center: 


Knowledge  management:  Strategies  and  processes  to  create,  identify, 
capture,  organize,  and  leverage  vital  skills,  information,  and  knowledge  to 
enable  people  to  best  accomplish  the  organization  mission. 

For  survivable  dependable  systems.  Brooks’  comprehensive  definition  of  knowledge  management 
translates  into  a  seamless  organization  that  is  able  to  manage  and  bridge  its  vertical,  horizontal,  external, 
and  geographical  boundaries,  with  tmst  (as  defined  earlier)  at  the  center  of  its  core  values.  This 
definition  focuses  on  people  “in  whom  knowledge  tmly  resides” — the  major  asset  of  any  organization, 
private  or  public.  In  his  book  Intellectual  Capital,  Thomas  A.  Stewart  [1997]  highlights  the 
importance  of  knowledge  and  its  endemic  value  as  human  capital  to  organizations.  The  centrality  of 
knowledge  to  the  success  of  organizations  is  epitomized  by  the  visionary  thinking  of  Steve  Kerr,  Chief 
Learning  Officer  at  General  Electric,  who  argues  that  “knowledge  is  fungible  and  hoarding  knowledge  is 
an  ethical  violation.” 

In  their  book  Working  Knowledge,  Davenport  and  Pmsak  [1998]  share  with  the  reader  the  following 
knowledge-management  principles: 

•  Knowledge  originates  and  resides  in  people’s  minds. 

•  Knowledge -sharing  requires  tmst. 

•  Technology  enables  new  knowledge  behaviors. 

•  Knowledge -sharing  must  be  encouraged  and  rewarded. 

•  Management  support  and  resources  are  essential. 

•  Knowledge  is  creative  and  should  be  encouraged  to  develop  in  unexpected  ways. 

Davenport  and  Pmsak  [1998]  also  maintain:  “...[K]nowledge  generation  through  fusion  purposely 
introduces  complexity  and  even  conflict  to  create  new  synergy.”  Indeed,  tmst  within  and  among  toe 
diverse  managers  and  decisionmakers  in  charge  is  the  sine  qua  non  for  the  protection  and  survivability 
of  our  critical  inffastmctures.  In  particular,  such  an  imperative  trust  would  be  an  enabling  factor  in 
crossing  and  bridging  the  vertical,  horizontal,  external,  and  geographical  organizational  boundaries. 

Furthermore,  Brooks  [2000],  who  serves  as  the  Corporate  Knowledge  Strategist  of  the  National 
Security  Agency,  maintains  that: 

Knowledge  management  addresses  the  work  processes  that  help  people  create 
and  leverage  knowledge. .  .Knowledge  management  means  making  information 
available  effortlessly,  in  a  usable  form,  to  the  people  who  can  apply  it  in  their 
context,  so  that  it  is  actionable  and,  thereby  becomes  knowledge.  It  means 
getting:  the  right  information,  to  the  right  people,  in  the  right  format,  at  the  right 
time,  so  they  can  derive  knowledge,  and  do  their  jobs  better. 

Reflecting  on  Brooks’  concept  of  knowledge  management,  it  is  clear  that  current  information-protection 
efforts — ^public  and  private — cannot  meet  the  following  five  specific  needs: 

1.  Responding  to  strategic  threats,  such  as  integrated  political  and  economic  attacks. 

2.  Defending  across  inffastmcture  sectors. 


3.  Sharing  information  on  key  threats  and  effective  responses  has  obvious  value,  and  there  are  inherent 
critical  interdependencies.  Here,  the  national  objective  is  simple:  ensure  that  if  an  attacker  exploits 
vulnerabilities  in  some  unexpected  way,  the  overall  system  degrades  gracefully  rather  than  failing 
catastrophically. 

4.  Anticipating  and  preparing  for  major  threats,  calling  for  competing  parts  of  the  private  sector  to  work 
together  during  a  crisis. 

5.  Realizing  the  natural  synergies  among  all  proposed  National  Plan  programs.  The  programs  in  the 
National  Plan  will  be  much  less  effective  if  each  one  proceeds  in  isolation  from  the  others. 

The  emergence  of  willful  threats  to  our  critical  infrastmctures  has  deepened  the  gap  between  the 
demand  and  supply  for  expertise  in  this  area.  This  reemphasizes  the  urgent  need  for  effective  educational 
programs  and  technology  transfer.  Here  again,  we  borrow  from  Davenport  and  Prusak  [1998]  some  of 
the  principles  upon  which  an  effective  culture  of  knowledge  transfer  is  based: 

•  Build  relationships  and  trust  thi-ough  face-to-face  meetings. 

•  Create  common  ground  through  education,  discussion,  publications,  teaming,  job  rotation. 

•  Establish  times  and  places  for  knowledge  transfer:  fairs,  talk  rooms,  conference  reports. 

•  Evaluate  performance  and  provide  incentives  based  on  sharing. 

•  Educate  employees  for  flexibility;  provide  time  for  learning;  hire  for  openness  to  ideas. 

•  Eneourage  a  nonhierarehieal  approaeh  to  knowledge;  quality  of  ideas  is  more  important  than  the 
status  of  souree. 

•  Aeeept  and  reward  ereative  errors  and  eollaboration;  there  is  no  loss  of  status  from  not  knowing 
everything. 

In  sum,  edueational  programs  and  trust,  whieh  eonstitute  one  of  the  main  cornerstones  of  information 
assuranee,  must  be  grounded  on  the  eore  values  that  learning,  unlearning,  and  relearning  are  fundamental 
to  knowledge  management  and  to  our  quest  to  educate,  train,  and  enable  a  new  cadre  of  professionals 
who  can  be  entrusted  with  the  proteetion,  security,  and  survivability  of  our  national  critical 
infrastmctures. 
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